
ubuntu-appstore-developers team mailing list archive

Re: Minimizing icon and screenshot transfer size


Because of the security risk, devportal currently allows uploading of SVG icons,
but renders them on the server and only saves the resulting PNG, which is later
served to clients.

Cheers


On 22 April 2014 23:51, Ted Gould <ted@xxxxxxxxxx> wrote:

> On Tue, 2014-04-22 at 13:31 -0400, Rodney Dawes wrote:
>
> > On Tue, 2014-04-22 at 17:59 +0200, Jonas Drange wrote:
> > > On Tue, Apr 22, 2014 at 5:43 PM, Rodney Dawes
> > > <rodney.dawes@xxxxxxxxxxxxx> wrote:
> > > > My suggestion wasn't to replace all the PNGs with SVGs. In some cases
> > > > that's just not feasible, because the images were drawn with raster
> > > > editors anyway. But making SVG an option on upload, will let people who
> > > > want to use it, use it, and can certainly help reduce file size for
> > > > transferring the icon. I'd certainly want to be able to use it for any
> > > > apps I were to make.
> > >
> > > Aren't user uploaded SVGs a potential security risk? Is it possible to
> > > completely sanitize an SVG document?
>
> How so? Sure it's possible to sanitize it. But I don't see how it's any
> more of a security risk than someone uploading a PNG or JPEG that
> exploits a problem in libpng or libjpeg.
>
>
> Because of embedded Javascript. Mostly if you ignore the script tag (or
> don't implement it) you're in good shape. But the JS could be rendering the
> graphic in some cases (i.e. an icon that changed with the phase of the
> moon).
>
> http://commons.wikimedia.org/wiki/Help:SVG
>
> For the most part as long as we render to a bitmap with a confined
> converter things work well, or run through a sanitizer in the same
> conditions.
>
> Ted
>
>
> --
> Mailing list: https://launchpad.net/~ubuntu-appstore-developers
> Post to     : ubuntu-appstore-developers@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers
> More help   : https://help.launchpad.net/ListHelp
>
>
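The thread mentions two defensive options for user-uploaded SVG: render to a bitmap inside a confined converter (what devportal does), or run the file through a sanitizer under the same confinement. The following is an added example of the second option, written for this archive page and not code from devportal or from any poster in the thread. It assumes a Python upload handler that receives the raw file bytes; the function names, the allow-list and the sample upload are constructed for illustration. It keeps only SVG-namespace drawing elements, drops `<script>`, event-handler attributes, external `url(...)`/`href` references and `javascript:` values, refuses DTDs before the parser ever sees them, and returns a list of what it removed so the upload pipeline can log or reject.

```python
"""Allow-list sanitizer for uploaded SVG icons (added example, not devportal code).

Keeps only the elements an icon needs, strips scripting and external
references, and reports what it stripped.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize <svg> with a default xmlns
ET.register_namespace("xlink", XLINK_NS)

# Allow-list (assumption: this is enough for app-store icons). Anything not in
# the SVG namespace or not listed here (script, image, a, style, foreignObject,
# animate, set, ...) is removed together with its whole subtree.
ALLOWED_TAGS = {
    f"{{{SVG_NS}}}{name}" for name in (
        "svg", "g", "defs", "symbol", "use", "title", "desc", "clipPath",
        "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
        "linearGradient", "radialGradient", "stop",
    )
}
# Attribute values that reach outside the document or execute code.
EXTERNAL_URL = re.compile(r"url\((?![\s'\"]*#)", re.I)   # url(...) not pointing at #id
SCRIPT_URL = re.compile(r"javascript\s*:|@import|expression\s*\(", re.I)
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)", re.I)


class UnsafeSvg(ValueError):
    """Raised for uploads that are rejected outright rather than cleaned."""


def _local(qname):
    """'{namespace}name' -> 'name'."""
    return qname.rsplit("}", 1)[-1]


def _scrub(elem, removed):
    """Recursively drop disallowed children and dangerous attributes of elem."""
    for child in list(elem):
        if child.tag not in ALLOWED_TAGS:
            removed.append("element:" + _local(child.tag))
            elem.remove(child)               # subtree and its tail text go too
        else:
            _scrub(child, removed)
    for attr, value in list(elem.attrib.items()):
        name = _local(attr)
        dangerous = (
            name.lower().startswith("on")                      # onload, onclick, ...
            or (name == "href" and not value.startswith("#"))  # only local #id refs
            or EXTERNAL_URL.search(value) is not None
            or SCRIPT_URL.search(value) is not None
        )
        if dangerous:
            removed.append("attr:" + name)
            del elem.attrib[attr]


def sanitize_svg(data: bytes):
    """Return (clean_svg_bytes, removed_items) or raise UnsafeSvg."""
    # Only UTF-8 is accepted: a UTF-16 document would hide a DOCTYPE from the
    # byte-level check below.
    if b"\x00" in data:
        raise UnsafeSvg("only UTF-8 encoded SVG is accepted")
    # Refuse DTDs before parsing: entity expansion and external entities are
    # parser-level attacks, and an icon never needs a DOCTYPE.
    if DTD_MARKER.search(data):
        raise UnsafeSvg("DOCTYPE/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise UnsafeSvg(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SVG_NS}}}svg":
        raise UnsafeSvg("root element is not an SVG-namespace <svg>")
    removed = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="utf-8"), removed


# Constructed hostile upload (not a real file): a usable icon mixed with the
# things a sanitizer must strip.
SAMPLE_UPLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="48" height="48" onload="alert(1)">
  <defs>
    <linearGradient id="g">
      <stop offset="0" stop-color="#f80"/><stop offset="1" stop-color="#f00"/>
    </linearGradient>
  </defs>
  <style>@import url("http://example.invalid/x.css");</style>
  <script>alert(document.cookie)</script>
  <image xlink:href="http://example.invalid/track.png" width="48" height="48"/>
  <rect width="48" height="48" fill="url(#g)"/>
  <path d="M8 8 L40 40" stroke="#000" onclick="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><circle cx="24" cy="24" r="4"/></a>
  <use xlink:href="http://example.invalid/lib.svg#shape"/>
</svg>
"""

if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE_UPLOAD)
    print(clean.decode())
    print("removed:", removed)
```

The sanitizer is deliberately allow-list based: a new SVG feature is unavailable to uploads until someone decides it is safe, which is the opposite of a script-tag blocklist that Ted's point about JS-rendered graphics shows to be insufficient. The stdlib parser is used so the example runs anywhere; because DTDs are rejected before parsing, the entity-expansion vectors are closed, but a production upload service should still parse with a hardened XML library and, as the thread recommends, run the whole step inside a confined process.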
